CONTACT US
forrester wave report 2023

Forrester rates Corelight a strong performer

GET THE REPORT

ad-nav-crowdstrike

Corelight now powers CrowdStrike solutions and services

READ MORE

ad-images-nav_0013_IDS

Alerts, meet evidence.

LEARN MORE ABOUT OUR IDS SOLUTION

ad-images-nav_white-paper

5 Ways Corelight Data Helps Investigators Win

READ WHITE PAPER

glossary-icon

10 Considerations for Implementing an XDR Strategy

READ NOW

ad-images-nav_0006_Blog

Don't trust. Verify with evidence

READ BLOG

ad-nav-NDR-for-dummies

NDR for Dummies

GET THE WHITE PAPER

video

The Power of Open-Source Tools for Network Detection and Response

WATCH THE WEBCAST

ad-nav-ESG

The Evolving Role of NDR

DOWNLOAD THE REPORT

ad-images-nav_0006_Blog

Detecting 5 Current APTs without heavy lifting

READ BLOG

g2-medal-best-support-ndr-winter-2024

Network Detection and Response

SUPPORT OVERVIEW

 

Finding SUNBURST backdoor with Zeek logs & Corelight

UPDATE 12-16-20: Corelight Resources

——————————————–

FireEye’s threat research team has discovered a troubling new supply chain attack targeting SolarWind’s Orion IT monitoring and management platform. The attack trojanizes Orion software updates to deliver malware called SUNBURST, which opens a stealthy backdoor for command-and-control and other malicious activity that blends in with Orion Improvement Program (OIP) protocol traffic. 

Scott Runnels, a Mandiant researcher involved in the discovery, revealed that Zeek played a key role in FireEye’s investigation and discovery of this new threat: 

Given the widespread use of the Orion software we want to provide the community and our customers with some preliminary guidance on how to use Zeek and related tools to manually find and automatically detect this novel threat in their environment.  

We will host a webinar this Wednesday, Dec. 16 to deep dive on these methods and tools, which include: 

  • Zeek log queries: Network IOCs for this attack span a range of protocols parsed by Zeek including  DNS, HTTP, and X509 certificates. Targeted queries in your SIEM against Zeek logs can reveal potential evidence of compromise related to this attack, for example: 
  • Sigma rules/queries: Community-developed Sigma rules to detect SUNBURST are available in SOC Prime’s Threat Detection Marketplace, which you can access here. Corelight customers with supported SIEM platforms (Splunk, Elastic, Humio, QRadar, ArcSight, Chronicle, et al.) can copy/paste the queries and/or detections directly into their SIEM environment. 
  • Suricata Rules in ET Open Ruleset: Proofpoint Emerging Threats has added detections as Suricata rules in their latest ET Open Ruleset release, which you can download here. Corelight customers with AP 200, AP 1001, and/or AP 3000 Sensors and a Suricata subscription can download and run these rules on their sensors.

Again, we will host a webinar on Wednesday, Dec. 16 at 7a PST / 10a EST / 3p GMT to deep dive on these methods and tools. 

If you would like to attend, please register here: https://www3.corelight.com/finding-sunburst-solarwinds-zeek-suricata

 

Recent Posts